We cover the amazing details of the PlayStation Network breach and share some of the most interesting details in this episode. Following the theme of service outages, Allan and Chris share their things to keep in mind when looking at hosted services.

Plus find out why the US Government is shutting down 137 data-centers, and we wrap up with another Dropbox controversy!

Show Notes:

Topic: PSN Security Breach

A new custom firmware allowed users to access the PSN development network

The development network accepts fake credit cards and is designed for testing

Users with access to this development network managed to pirate paid content

Someone then managed to compromise the PSN developer network some time between April 17th and 19th.

Sony took a number of days to admit that PSN had suffered an intrusion and that it would not be back online anytime soon.

Sony waited a week to tell customers their personal data had been exposed, likely hoping to avoid the PR black eye.

Sony claims the Credit card database was encrypted

Encrypting credit cards with a single symmetric key only provides limited protection (the key must be accessible to the application that saves the card data, and so is likely to have been compromised along with the database).

Using asymmetric keys can be an option, where the public key is used to encrypt the card and only the private key can decrypt it, but in practice the private key must be accessible to the application and therefore may be exposed as well.

Another trick is to AES encrypt each customer's credit card with their password. This way the credit card can only be accessed by that customer, and cracking the encryption becomes a much bigger task, especially if the user's password is stored using a cryptographic hash. A side effect of this is that the customer must re-enter their password when they wish to use the stored credit card, but this is actually good form anyway. A downside arises if the credit card is required for subscription billing, since it is encrypted such that the user's password is required to read it.

Sony says the CVV numbers were not compromised because they do not collect them and therefore never stored them. It is against PCI DSS to store the CVV; this is explicitly so that when databases of credit cards are compromised, the CVV is not.

Sony says it is physically moving the PSN to a more secure facility. Was this a physical attack or an inside job? Was Sony outsourcing its network security to the data center?

Topic: When a cloud provider goes under

After the scare with Amazon last week, a number of companies are reconsidering their choice of cloud provider, or of using the cloud at all. This brings to light a number of issues, especially vendor lock-in (how difficult it is to move from one cloud to another) and how much trust you put in the cloud provider from an information security perspective, as well as availability and the continued viability of their business model. Over the last few months, 4 providers have closed down their clouds, leaving customers with many questions.

If you close your account, will your data be securely deleted?

Their backups and replication will likely still have copies of your files even if they are “deleted”; this is why your data should be encrypted.

If your data is encrypted and you hold the private keys, then you can ensure they can’t read it.

If they hold the keys and say they deleted them, that is better than nothing, but there are no guarantees.

If the cloud goes under, how can you get your data back?

If the cloud goes under, who will get your data in the end, and will it be destroyed safely?

Cloud is not primary storage, but acts as a convenient online archive.

Topic: US government to consolidate its data center operations

US government will close 137 data centers this year as it moves to consolidate and take advantage of the cloud. Will we see a bunch of these data centers bought up, or is the age of the small to medium sized data center over?

Government agencies have identified 100 email systems and 950,000 mailboxes to migrate to a cloud computing model as part of Kundra’s ‘Cloud First’ initiative.

Topic: More security problems, Dropbox tries to kill an open source project to protect its security by obscurity

Using the hash of a file and an external app, you can add a specific non-public file to your Dropbox via the Dropbox de-duplication system (make Dropbox think you uploaded it when you never actually had a copy of the file).

A simple brute force attack could net you all kinds of interesting files